
Explore Vulnerabilities


Explore all Exploits:

Local RedHat Enterprise Linux DoS - RHEL 7.1 Kernel crashes on invalid USB device descriptors (visor clie_5_attach driver)

The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB device requiring the visor (clie_5_attach) driver. The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo (github.com/schumilo) using the following device descriptor: [bLength: 0x12, bDescriptorType: 0x1, bcdUSB: 0x200, bDeviceClass: 0x3, bDeviceSubClass: 0x0, bDeviceProtocol: 0x0, bMaxPacketSize: 0x40, idVendor: 0x54c, idProduct: 0x144, bcdDevice: 0x100, iManufacturer: 0x1, iProduct: 0x2, iSerialNumbers: 0x3, bNumConfigurations: 0x1]. The clie_5_attach function of the visor driver, which is called during driver initialization, expects an OUT bulk endpoint. Due to an incomplete sanity check, the visor driver dereferences null pointers when that endpoint is absent. This results in a crash of the system.

Local RedHat Enterprise Linux DoS - RHEL 7.1 Kernel crashes on invalid USB device descriptors (visor treo_attach driver)

The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB device requiring the visor (treo_attach) driver. The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo (github.com/schumilo) using the following device descriptor: [bLength: 0x12, bDescriptorType: 0x1, bcdUSB: 0x200, bDeviceClass: 0x3, bDeviceSubClass: 0x0, bDeviceProtocol: 0x0, bMaxPacketSize: 0x40, idVendor: 0x82d, idProduct: 0x200, bcdDevice: 0x100, iManufacturer: 0x1, iProduct: 0x2, iSerialNumbers: 0x3, bNumConfigurations: 0x1]. The treo_attach function does not use the num_ports value (struct usb_serial) for any kind of sanity check during initialization. Because of this incomplete check, the driver can dereference a null pointer when a malformed device descriptor is presented (a zero value for bNumEndpoints, or the required endpoint descriptors not provided). This results in a crash of the system.

Linux wacom Multiple Null Pointer Dereferences

The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB device requiring the wacom driver. These bugs were found using the USB-fuzzing framework vUSBf from Sergej Schumilo (github.com/schumilo) using the following device descriptors.

Local RedHat Enterprise Linux DoS - RHEL 7.1 Kernel crashes on invalid USB device descriptors (digi_acceleport driver)

The Kernel 3.10.0-229.20.1.el7.x86_64 crashes on presentation of a buggy USB device requiring the digi_acceleport driver. The bug was found using the USB-fuzzing framework vUSBf from Sergej Schumilo (github.com/schumilo) using the following device descriptor: [bLength: 0x12, bDescriptorType: 0x1, bcdUSB: 0x200, bDeviceClass: 0x3, bDeviceSubClass: 0x0, bDeviceProtocol: 0x0, bMaxPacketSize: 0x40, idVendor: 0x5c5, idProduct: 0x2, bcdDevice: 0x100, iManufacturer: 0x1, iProduct: 0x2, iSerialNumbers: 0x3, bNumConfigurations: 0x1]. The digi_acceleport driver does not use the num_ports value (struct usb_serial) for any kind of sanity check during initialization (digi_port_init and digi_startup). Because of this incomplete check, the driver can dereference a null pointer when a malformed device descriptor is presented (a zero value for bNumEndpoints, or no endpoint descriptors described). This results in a crash of the system.

WordPress ProjectTheme Multiple Vulnerabilities

During an internal code review multiple vulnerabilities were identified. The whole application lacks input validation and output encoding, so user-supplied input is inserted in an unsafe way. This could allow a remote attacker to easily compromise user accounts. For example, an authenticated user sends a private message to another user. When the attacker injects JavaScript code into that message, it automatically calls the CSRF PoC below. The only information required is the victim's user id, which can be identified easily. If the other user opens the private message menu, the JavaScript code is executed and the password is changed; it is not necessary to open the message itself. The attacker can then access the account using the new password.

Bluethrust Clan Scripts v4 R17 CSRF & PHP Shell Upload (Admin)

There is no token check when changing a user's current rank, which allows CSRF to take place. When the code below is executed by an authenticated admin, it grants the specified user Commander/Admin rights. After the CSRF has taken place you can log in to your account as normal. Once logged in, click 'My Profile > Administrator options > Modify Current Theme' or use site.com/members/console.php?cID=61. You can then insert PHP code of your choosing into Footer. In order to add or edit code you are required to provide a special Admin Key that was defined during install. The key is not actually needed, as the check is faulty and the field can be left blank. Just insert your code and click Edit Theme. It will say the key was incorrect, but the PHP code is still inserted.

Avast Memory Corruption Vulnerability

This vulnerability is related to the parsing of Authenticode in Avast. The attached PE file causes memory corruption in Avast. The memory corruption occurs when the address of the parameter is set to 0x30303030. This leads to an access violation and the execution of malicious code.

Use-After-Free Condition in Wireshark

A use-after-free condition can be observed in an ASAN build of Wireshark (current git master) by feeding a malformed file to tshark. The crash occurs due to a use-after-free in wtap_optionblock_free (wireshark/wiretap/wtap_opttypes.c:161:20). The address 0x60400009d960 is located 16 bytes inside a 40-byte region [0x60400009d950,0x60400009d978) which was previously allocated by thread T0 and freed by thread T0. The shadow bytes around the buggy address show that the memory was freed.
